Hello,
I am currently having issues with our SIEM (ArcSight) parsing Windows event
logs coming in the Snare format. I have copied my config for review. For
some reason it is being viewed as generic syslog; however, at one time it was
correctly being identified as Snare and was parsed. Nothing has changed in
the config or the endpoint. The only way I was able to get it parsed was to
add the line in output "Exec $raw_event = $EventID", which I know is wrong,
but for some reason it worked even though I got errors in the nxlog log. I
assume it just gave up with the errors. Is there a correct way to do this,
or does anyone have the correct syntax to send the logs in Snare format or
a format that can be parsed by ArcSight?

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    ReadFromLast True
    # The XML query spans several lines, so every line except the last must
    # end in a backslash continuation; the mail client had wrapped some lines
    # without one.
    Query       <QueryList>\
                  <Query Id="0" Path="Security">\
                    <Select Path="Security">*[System[((EventID &gt;= 4624 and EventID &lt;= 4625) or EventID=4647 or (EventID &gt;= 4720 and EventID &lt;= 4760) or (EventID &gt;= 4778 and EventID &lt;= 4779) or EventID=4781 or (EventID &gt;= 4800 and EventID &lt;= 4803))]]</Select>\
                    <Select Path="Microsoft-Windows-Dhcp-Client/Operational">*[System[(EventID=50028)]]</Select>\
                    <Select Path="Microsoft-Windows-UnifiedWriteFilter/Operational">*[System[(EventID=1001 or EventID=1002)]]</Select>\
                    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
                  </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_tcp
    # Address of the ArcSight collector (value not given in the post)
    Host
    Port        514
    # Rewrites $raw_event into the Snare syslog format
    Exec        to_syslog_snare();
    # The workaround described above; it overwrites the Snare line just built
    Exec        $raw_event = $EventID;
</Output>

<Route 1>
    Path        eventlog => out
</Route>

Thanks
Josh
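When a SIEM suddenly treats a feed as "generic syslog", the quickest way to settle whether the sender or the parser is at fault is to look at the bytes arriving on the collector port. Below is an added diagnostic, not from the original post and not part of NXLog or ArcSight: it classifies each received line as Snare-formatted, plain syslog, or raw (no syslog header at all, which is what the config above produces once `$raw_event = $EventID` overwrites the line `to_syslog_snare()` built). The header shape, the `MSWinEventLog` marker and the 14-field Snare layout are assumptions based on the Snare-for-Windows agent format; the sample lines are constructed, not captured.

```python
"""Added diagnostic: classify what arrives on the collector port as Snare or not.

Assumption (not from the post): to_syslog_snare() emits a BSD syslog header
"<PRI>Mon dd hh:mm:ss host " followed by "MSWinEventLog" and tab-separated
Snare fields. Field names below follow the classic Snare-for-Windows layout;
check the count against what your NXLog version actually sends.
"""
import re
import socket

SNARE_FIELDS = (
    "Criticality", "EventLogSource", "SnareCounter", "DateTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString", "MD5Checksum",
)

# RFC 3164 style header: <PRI>Mon dd hh:mm:ss hostname <message>
SYSLOG_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample lines (not captured traffic).
SAMPLE_SNARE = (
    "<13>Mar  5 10:15:22 WKSTN01 MSWinEventLog\t1\tSecurity\t42\t"
    "Tue Mar 05 10:15:22 2014\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWKSTN01\tLogon\t\t"
    "An account was successfully logged on.\t42"
)
SAMPLE_SYSLOG = "<13>Mar  5 10:15:22 WKSTN01 nxlog: event 4624 received"
SAMPLE_RAW = "4624"  # what "$raw_event = $EventID" after to_syslog_snare() yields


def parse_snare(line):
    """Return header fields plus Snare fields as a dict, or None if not Snare-shaped."""
    m = SYSLOG_HDR.match(line.rstrip("\r\n"))
    if not m:
        return None
    msg = m.group("msg")
    if not msg.startswith("MSWinEventLog\t"):
        return None
    parts = msg.split("\t")[1:]
    rec = dict(zip(SNARE_FIELDS, parts))
    rec["field_count"] = len(parts)  # compare with len(SNARE_FIELDS)
    rec["pri"] = int(m.group("pri"))
    rec["timestamp"] = m.group("ts")
    rec["host"] = m.group("host")
    return rec


def classify(line):
    """'snare': syslog header + MSWinEventLog payload (what a Snare parser wants).
    'syslog': valid syslog header but no Snare payload (parsed as generic syslog).
    'raw': no syslog header at all (e.g. a bare EventID)."""
    if parse_snare(line) is not None:
        return "snare"
    if SYSLOG_HDR.match(line.rstrip("\r\n")):
        return "syslog"
    return "raw"


def listen(port=514, host="0.0.0.0", max_lines=20):
    """Bind where the collector would, accept one om_tcp connection, print verdicts."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as f:
            for i, raw in enumerate(f):
                if i >= max_lines:
                    break
                line = raw.decode("utf-8", "replace")
                print(classify(line), repr(line[:80]))


if __name__ == "__main__":
    for s in (SAMPLE_SNARE, SAMPLE_SYSLOG, SAMPLE_RAW):
        print(classify(s), "-", s[:60])
```

Point the NXLog output at the host running `listen()` (on a port you can bind without privileges, adjusting `Port` accordingly) and compare the verdicts with what ArcSight reports; a steady stream of `raw` or `syslog` verdicts means the problem is on the sending side, while `snare` lines with an unexpected `field_count` point at a layout mismatch with the parser.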
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users